libxml2: CVE-2017-0663

A remote code execution vulnerability in libxml2 could enable an attacker using a specially crafted file to execute arbitrary code within the context of an unprivileged process. This issue is rated as High due to the possibility of remote code execution in an application that uses this library. Reference: https://security-tracker.debian.org/tracker/CVE-2017-0663 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-09-06 11:01:07 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-09-06 13:02:36 +0200
commit: f51f71b2da372e3eaaa1d47c7e01724b2b8867ed (patch)
tree: 23bf30c50c1412996b8aea1fdba0b7c666b379c7
parent: bf4d84df078cb19f1702f42a94c873026aa72e1d (diff)
download: meta-el-common-f51f71b2da372e3eaaa1d47c7e01724b2b8867ed.tar.gz
2 files changed, 49 insertions, 1 deletions
diff --git a/recipes-core/libxml/libxml2/CVE-2017-0663.patch b/recipes-core/libxml/libxml2/CVE-2017-0663.patch
new file mode 100644
index 0000000..a4f88b6
--- /dev/null
+++ b/recipes-core/libxml/libxml2/CVE-2017-0663.patch
@@ -0,0 +1,47 @@
+From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001
+From: Nick Wellnhofer <wellnhofer@aevum.de>
+Date: Tue, 6 Jun 2017 12:56:28 +0200
+Subject: Fix type confusion in xmlValidateOneNamespace
+Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on
+namespace declarations make no practical sense anyway.
+Fixes bug 780228.
+Found with libFuzzer and ASan.
+CVE: CVE-2017-0663
+Upstream-Status: Backport [https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66]
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ valid.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/valid.c b/valid.c
+index 8075d3a..c51ea29 100644
+--- a/valid.c
+++ b/valid.c
+@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+        }
+     }
+ 
+    /*
+     * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
+     * xmlAddID and xmlAddRef for namespace declarations, but it makes
+     * no practical sense to use ID types anyway.
+     */
+#if 0
+     /* Validity Constraint: ID uniqueness */
+     if (attrDecl->atype == XML_ATTRIBUTE_ID) {
+         if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar *prefix, xmlNsPtr ns, const xmlChar *value) {
+         if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
+            ret = 0;
+     }
+#endif
+ 
+     /* Validity Constraint: Notation Attributes */
+     if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
+-- 
+cgit v0.12
diff --git a/recipes-core/libxml/libxml2_%.bbappend b/recipes-core/libxml/libxml2_%.bbappend
index c6e5705..01e59d3 100644
--- a/recipes-core/libxml/libxml2_%.bbappend
+++ b/recipes-core/libxml/libxml2_%.bbappend
@@ -1,7 +1,8 @@
 # look for files in the layer first
 FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
-SRC_URI += "file://CVE-2017-5969.patch \
+SRC_URI += "file://CVE-2017-0663.patch \
+            file://CVE-2017-5969.patch \
            file://CVE-2017-9047_CVE-2017-9048.patch \
            file://CVE-2017-9049_CVE-2017-9050.patch \
           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-09-06 11:01:07 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-09-06 13:02:36 +0200
commit	f51f71b2da372e3eaaa1d47c7e01724b2b8867ed (patch)
tree	23bf30c50c1412996b8aea1fdba0b7c666b379c7
parent	bf4d84df078cb19f1702f42a94c873026aa72e1d (diff)
download	meta-el-common-f51f71b2da372e3eaaa1d47c7e01724b2b8867ed.tar.gz

diff --git a/recipes-core/libxml/libxml2/CVE-2017-0663.patch b/recipes-core/libxml/libxml2/CVE-2017-0663.patch new file mode 100644 index 0000000..a4f88b6 --- /dev/null +++ b/recipes-core/libxml/libxml2/CVE-2017-0663.patch
@@ -0,0 +1,47 @@
		1	From 92b9e8c8b3787068565a1820ba575d042f9eec66 Mon Sep 17 00:00:00 2001
		2	From: Nick Wellnhofer <wellnhofer@aevum.de>
		3	Date: Tue, 6 Jun 2017 12:56:28 +0200
		4	Subject: Fix type confusion in xmlValidateOneNamespace
		5
		6	Comment out code that casts xmlNsPtr to xmlAttrPtr. ID types on
		7	namespace declarations make no practical sense anyway.
		8
		9	Fixes bug 780228.
		10
		11	Found with libFuzzer and ASan.
		12	CVE: CVE-2017-0663
		13	Upstream-Status: Backport [https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66]
		14
		15	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		16	---
		17	valid.c \| 7 +++++++
		18	1 file changed, 7 insertions(+)
		19
		20	diff --git a/valid.c b/valid.c
		21	index 8075d3a..c51ea29 100644
		22	--- a/valid.c
		23	+++ b/valid.c
		24	@@ -4627,6 +4627,12 @@ xmlNodePtr elem, const xmlChar prefix, xmlNsPtr ns, const xmlChar value) {
		25	}
		26	}
		27
		28	+ /*
		29	+ * Casting ns to xmlAttrPtr is wrong. We'd need separate functions
		30	+ * xmlAddID and xmlAddRef for namespace declarations, but it makes
		31	+ * no practical sense to use ID types anyway.
		32	+ */
		33	+#if 0
		34	/* Validity Constraint: ID uniqueness */
		35	if (attrDecl->atype == XML_ATTRIBUTE_ID) {
		36	if (xmlAddID(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
		37	@@ -4638,6 +4644,7 @@ xmlNodePtr elem, const xmlChar prefix, xmlNsPtr ns, const xmlChar value) {
		38	if (xmlAddRef(ctxt, doc, value, (xmlAttrPtr) ns) == NULL)
		39	ret = 0;
		40	}
		41	+#endif
		42
		43	/* Validity Constraint: Notation Attributes */
		44	if (attrDecl->atype == XML_ATTRIBUTE_NOTATION) {
		45	--
		46	cgit v0.12
		47


diff --git a/recipes-core/libxml/libxml2_%.bbappend b/recipes-core/libxml/libxml2_%.bbappend index c6e5705..01e59d3 100644 --- a/recipes-core/libxml/libxml2_%.bbappend +++ b/recipes-core/libxml/libxml2_%.bbappend
@@ -1,7 +1,8 @@
1	# look for files in the layer first	1	# look for files in the layer first
2	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"	2	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
3		3
4	SRC_URI += "file://CVE-2017-5969.patch \	4	SRC_URI += "file://CVE-2017-0663.patch \
		5	file://CVE-2017-5969.patch \
5	file://CVE-2017-9047_CVE-2017-9048.patch \	6	file://CVE-2017-9047_CVE-2017-9048.patch \
6	file://CVE-2017-9049_CVE-2017-9050.patch \	7	file://CVE-2017-9049_CVE-2017-9050.patch \
7	"	8	"